LearningTree · AWS · DevOps

AWS CloudFormation —
Infrastructure as Code

Define your entire AWS infrastructure in declarative templates. Version-controlled, repeatable, and automated — from a single EC2 instance to a multi-region architecture.

⚡ CloudFormation in 30 Seconds

Write your infrastructure in YAML/JSON templates — EC2, VPC, RDS, IAM, everything
CloudFormation creates and manages resources as a stack — a single unit
Update a stack by modifying the template — CloudFormation figures out the diff
Delete a stack → all resources cleaned up automatically (no orphaned resources)
Free to use — you only pay for the AWS resources created

Chapter One

What is CloudFormation

Introduction Introductory

AWS CloudFormation is an Infrastructure as Code (IaC) service that lets you define AWS resources in a text file (a template) and have CloudFormation create, update, and delete those resources for you.

👉 Think of CloudFormation as: A blueprint that AWS reads to automatically build your infrastructure

Instead of clicking through the AWS Console or writing imperative scripts, you declare what you want — and CloudFormation handles the how: dependency ordering, parallel creation, rollback on failure.

Why CloudFormation Exists Introductory

⚠️

Manual Infrastructure

Click-through console = undocumented
Hard to reproduce across environments
Drift between dev/staging/prod
No audit trail of changes
Cleanup is error-prone (orphaned resources)

✅

CloudFormation Solves

Infrastructure defined in code (YAML/JSON)
Identical environments with one template
Version-controlled in Git
Full audit trail via CloudTrail
Delete stack → all resources cleaned up

Core Concepts Core

Concept	What It Is	Analogy
Template	A YAML/JSON file describing AWS resources	The blueprint / recipe
Stack	A running instance of a template — the actual deployed resources	The built house
Change Set	A preview of what will change before you apply an update	A renovation proposal
Stack Set	Deploy one template across multiple accounts/regions	Build the same house in many cities
Drift Detection	Detect if actual resources differ from the template	Check if someone modified the house without the blueprint

How It Works Core

CloudFormation — Template to Stack Flow

Declarative vs Imperative Core

Approach	How It Works	Example
Imperative (scripts)	You describe how — step by step	AWS CLI: `aws ec2 run-instances ...` Then `aws ec2 create-security-group ...` Then `aws ec2 authorize-security-group-ingress ...`
Declarative (CloudFormation)	You describe what — the desired state	Template says: "I want an EC2 instance in a VPC with this SG" CloudFormation works out the order and creates everything

👉 Declarative wins because CloudFormation handles dependency resolution, parallelism, error handling, and rollback. You don't write "create VPC, then subnet, then route table, then EC2" — you declare all of them and CloudFormation figures out the order.

CloudFormation vs Terraform In-Depth

Feature	CloudFormation	Terraform
Provider	AWS-native (first-party)	HashiCorp (third-party, multi-cloud)
Language	YAML / JSON	HCL (HashiCorp Configuration Language)
State management	Managed by AWS (no state file to maintain)	You manage state file (S3 + DynamoDB for locking)
Rollback	Automatic on failure	Manual — you must handle it
Drift detection	Built-in	`terraform plan` shows drift
Multi-cloud	AWS only	AWS, Azure, GCP, and 3,000+ providers
Cost	Free	Free (OSS) / Paid (Terraform Cloud)
Best for	Pure AWS shops, AWS exam context	Multi-cloud, large teams with diverse infra

Where CloudFormation Fits Introductory

DevOps Lifecycle — Where IaC Sits

👉 Key Takeaway

CloudFormation turns infrastructure into code — declarative, version-controlled, and automatically provisioned. You describe what you want; CloudFormation handles how to build it.

Chapter Two

Templates & Stacks

Template Anatomy Core

A CloudFormation template is a YAML (or JSON) file with a defined structure. Here are the key sections — only Resources is required:

Section	Required?	Purpose
`AWSTemplateFormatVersion`	No	Template version date (always `"2010-09-09"` — hasn't changed)
`Description`	No	Human-readable description of the template
`Parameters`	No	Input values provided at deploy time (instance type, env name, etc.)
`Mappings`	No	Static key-value lookups (e.g., AMI IDs per region)
`Conditions`	No	Conditional resource creation (e.g., only create in prod)
`Resources`	Yes ✅	The AWS resources to create (EC2, S3, VPC, etc.)
`Outputs`	No	Values exported after stack creation (URLs, IDs, ARNs)

Template Example Core

📄 Simple CloudFormation Template

AWSTemplateFormatVersion: "2010-09-09"
Description: A simple web server stack

Parameters:
  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small, t3.medium]

Resources:
  WebServerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: ami-0abcdef1234567890
      SecurityGroupIds:
        - !Ref WebServerSG
      UserData:
        Fn::Base64: |
          #!/bin/bash
          yum install -y httpd
          systemctl start httpd

Outputs:
  PublicIP:
    Value: !GetAtt WebServer.PublicIp
    Description: Public IP of the web server

Key things to notice:

!Ref InstanceType — references the parameter value provided at deploy time
!Ref WebServerSG — references another resource (CloudFormation resolves the ID)
!GetAtt WebServer.PublicIp — gets an attribute from a created resource
CloudFormation creates the Security Group before the EC2 instance (it resolves the dependency automatically)

Resources Section Core

The Resources section is the heart of every template. Each resource has a logical name, a type, and properties:

🏷️

Logical Name

Your chosen name within the template (e.g., WebServer). Used for !Ref and cross-references. Must be unique in the template.

📦

Type

The AWS resource type (e.g., AWS::EC2::Instance, AWS::S3::Bucket). CloudFormation supports 800+ resource types.

⚙️

Properties

Configuration for the resource — instance type, VPC ID, tags, etc. Each resource type has its own set of required and optional properties.

Intrinsic Functions In-Depth

CloudFormation provides built-in functions for dynamic values, references, and logic within templates:

Function	Short Form	What It Does	Example
`Ref`	`!Ref`	Returns the value of a parameter or the ID of a resource	`!Ref MyBucket` → bucket name
`Fn::GetAtt`	`!GetAtt`	Gets a specific attribute from a resource	`!GetAtt MyELB.DNSName`
`Fn::Sub`	`!Sub`	String substitution with variables	`!Sub "arn:aws:s3:::${BucketName}"`
`Fn::Join`	`!Join`	Joins values with a delimiter	`!Join ["-", [prod, app, sg]]` → `prod-app-sg`
`Fn::Select`	`!Select`	Select an item from a list by index	`!Select [0, !GetAZs ""]` → first AZ
`Fn::Split`	`!Split`	Split a string into a list	`!Split [",", "a,b,c"]` → [a, b, c]
`Fn::ImportValue`	`!ImportValue`	Import an exported output from another stack	`!ImportValue NetworkStack-VpcId`
`Fn::FindInMap`	`!FindInMap`	Look up a value in the Mappings section	`!FindInMap [RegionMap, !Ref "AWS::Region", AMI]`
`Condition Functions`	`!If, !Equals, !And, !Or, !Not`	Conditional logic in templates	`!If [IsProd, m5.large, t3.micro]`

Pseudo Parameters In-Depth

CloudFormation provides built-in pseudo parameters that resolve at deploy time — you don't need to define them:

Pseudo Parameter	Returns	Common Use
`AWS::AccountId`	The AWS account ID (e.g., `123456789012`)	Building ARNs, policies
`AWS::Region`	The region the stack is deployed in	Region-specific AMI lookups
`AWS::StackName`	Name of the current stack	Tagging resources, naming conventions
`AWS::StackId`	Full ARN of the stack	Unique identifiers
`AWS::NoValue`	Removes a property when used with `!If`	Conditional property inclusion

What is a Stack? Core

A stack is a single unit of deployment — the collection of AWS resources created from one template. Stacks are the operational unit you interact with.

📦

Stack Properties

Has a unique name within a region
Tracks all resources it created
Has a lifecycle: CREATE → UPDATE → DELETE
Emits events for every resource operation
Supports tags (propagated to resources)

🔄

Stack Operations

Create — provision all resources from template
Update — modify resources (CloudFormation computes the diff)
Delete — tear down all resources (clean up)
Detect Drift — find manual changes made outside CloudFormation

Stack Lifecycle Core

Stack Lifecycle — State Machine

Stack Creation — What Happens Core

Stack Creation Flow

Template YAML uploaded

→

CloudFormation Parse & validate

→

Dependency Graph Resolve order

→

Stack Created Resources live

During creation, CloudFormation:

Validates the template syntax and resource types
Builds a dependency graph — knows VPC must exist before subnet, subnet before EC2
Creates resources in parallel where no dependency exists (faster)
Rolls back all changes if any resource fails to create (all-or-nothing)
Emits events for each resource (CREATE_IN_PROGRESS → CREATE_COMPLETE or CREATE_FAILED)

Update Behaviour In-Depth

When you update a stack, CloudFormation determines how each resource is affected. The impact depends on the property you changed:

Update Type	What Happens	Downtime?	Example
No interruption	Resource updated in-place, stays running	None	Changing EC2 tags, SG rules, Lambda code
Some interruption	Resource updated in-place, brief disruption	Brief	Changing EC2 instance type (requires stop/start)
Replacement	Resource deleted and recreated (new physical ID)	Yes	Changing EC2 AMI, RDS engine, VPC CIDR

👉 Always use Change Sets before updating production stacks. A Change Set shows you exactly which resources will be modified, replaced, or deleted — before you commit. Never blindly update a production stack.

Rollback Behaviour Core

✅

Create Rollback

If any resource fails during creation
All previously created resources are deleted
Stack status: ROLLBACK_COMPLETE
You must delete the stack and fix the template

🔄

Update Rollback

If any resource fails during update
All changes are reverted to previous state
Stack status: UPDATE_ROLLBACK_COMPLETE
Stack remains operational at the old configuration

Deletion & Retain Policy In-Depth

When you delete a stack, all resources are deleted by default. But you can override this with a DeletionPolicy:

DeletionPolicy	Behaviour	Use For
`Delete` (default)	Resource is deleted when stack is deleted	Ephemeral resources (dev, test)
`Retain`	Resource is kept even after stack deletion	Databases, S3 buckets with data, critical resources
`Snapshot`	Creates a snapshot before deleting (EBS, RDS, Redshift)	Databases where you want a backup before cleanup

👉 Always set DeletionPolicy: Retain on production databases and S3 buckets with important data. Without it, deleting the stack deletes your data permanently.

👉 Key Takeaway

Templates define what to build (Resources, Parameters, Outputs). Stacks are the live deployment — supporting create, update (with change sets), delete (with rollback), and drift detection. Use DeletionPolicy to protect critical data.

Chapter Three

Template Deep Dive

Parameters Core

Parameters make templates reusable by accepting input values at deploy time. Instead of hardcoding an instance type or environment name, you declare a parameter and let the user choose.

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues: [dev, staging, prod]
    Description: Deployment environment

  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small, t3.medium, t3.large]

  KeyPairName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Select an existing EC2 key pair

Property	Purpose	Example
`Type`	Data type of the parameter	`String`, `Number`, `CommaDelimitedList`, `AWS::EC2::VPC::Id`
`Default`	Value used if none provided	`t3.micro`
`AllowedValues`	Restrict to a list of valid options	`[dev, staging, prod]`
`AllowedPattern`	Regex validation	`"[a-zA-Z0-9]*"`
`MinLength / MaxLength`	String length constraints	`MinLength: 1`
`MinValue / MaxValue`	Numeric range constraints	`MinValue: 1, MaxValue: 100`
`NoEcho`	Mask the value (for passwords)	`NoEcho: true`
`ConstraintDescription`	Custom error message on validation fail	`"Must be a valid environment name"`

🏷️

AWS-Specific Parameter Types

AWS::EC2::VPC::Id — dropdown of VPCs
AWS::EC2::Subnet::Id — dropdown of subnets
AWS::EC2::KeyPair::KeyName — dropdown of key pairs
AWS::EC2::SecurityGroup::Id — dropdown of SGs
AWS::SSM::Parameter::Value<String> — from SSM Parameter Store

💡

Best Practices

Use AllowedValues to prevent invalid inputs
Use Default so dev deploys need zero input
Use NoEcho: true for passwords/secrets
Use SSM parameter types to read live values from Parameter Store
Limit parameters — too many makes templates hard to use

Mappings Core

Mappings are static lookup tables in the template — hardcoded key-value pairs used to select values based on conditions like region or environment. Unlike parameters, mappings are fixed at template authoring time.

Mappings:
  RegionAMI:
    us-east-1:
      HVM64: ami-0abcdef1111111111
    eu-west-1:
      HVM64: ami-0abcdef2222222222
    ap-southeast-1:
      HVM64: ami-0abcdef3333333333

Resources:
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !FindInMap [RegionAMI, !Ref "AWS::Region", HVM64]

The !FindInMap function takes three arguments: map name, first-level key, second-level key. This pattern is most commonly used for region-specific AMI IDs.

Conditions In-Depth

Conditions let you create resources or set properties only when certain criteria are met — typically based on parameter values.

Conditions:
  IsProd: !Equals [!Ref Environment, prod]
  CreateReadReplica: !And
    - !Equals [!Ref Environment, prod]
    - !Equals [!Ref EnableReplica, "true"]

Resources:
  ProdAlarm:
    Type: AWS::CloudWatch::Alarm
    Condition: IsProd          # Only created if Environment=prod
    Properties:
      AlarmName: HighCPU
      ...

Condition Function	Purpose	Example
`!Equals`	True if two values are equal	`!Equals [!Ref Env, prod]`
`!If`	Returns one of two values based on a condition	`!If [IsProd, m5.large, t3.micro]`
`!Not`	Negates a condition	`!Not [!Equals [!Ref Env, dev]]`
`!And`	True if ALL conditions are true	`!And [Condition: IsProd, Condition: HasDB]`
`!Or`	True if ANY condition is true	`!Or [Condition: IsProd, Condition: IsStaging]`

DependsOn In-Depth

CloudFormation automatically resolves dependencies when you use !Ref or !GetAtt. But sometimes you need to explicitly declare a dependency that CloudFormation cannot infer:

✅

Automatic (No DependsOn Needed)

!Ref WebServerSG in an EC2 resource → CloudFormation knows to create the SG first
!GetAtt MyDB.Endpoint.Address → DB created before the resource referencing it
Any !Ref or !GetAtt creates an implicit dependency

🔗

Explicit DependsOn Required

Resource depends on another but doesn't reference it
Example: EC2 instance needs an IGW attachment to exist (but doesn't !Ref it)
RDS instance depends on a VPC gateway attachment
Lambda depends on a log group being created first

Resources:
  IGWAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyIGW

  WebServer:
    Type: AWS::EC2::Instance
    DependsOn: IGWAttachment     # Explicit — wait for IGW attachment
    Properties:
      SubnetId: !Ref PublicSubnet
      ...

Outputs & Cross-Stack References In-Depth

Outputs export values from a stack — making them visible in the console and importable by other stacks. This is how you build multi-stack architectures.

# Stack A — Network Stack
Outputs:
  VpcId:
    Value: !Ref MyVPC
    Export:
      Name: NetworkStack-VpcId    # Globally unique export name

# Stack B — App Stack (imports from Stack A)
Resources:
  AppServer:
    Type: AWS::EC2::Instance
    Properties:
      SubnetId: !ImportValue NetworkStack-SubnetId

Cross-Stack References — Export & Import

Nested Stacks In-Depth

Nested stacks let you compose templates from reusable child templates. A parent template references child templates stored in S3. Each child becomes a resource of type AWS::CloudFormation::Stack.

🧩

When to Use Nested Stacks

Reuse common components (VPC, SG, IAM roles)
Break large templates into manageable pieces
Share a standard VPC template across teams
Overcome the 500-resource limit per stack

⚖️

Nested vs Cross-Stack

Nested: Parent manages child lifecycle (coupled)
Cross-Stack: Independent stacks linked via exports (decoupled)
Use nested for tightly coupled components
Use cross-stack for shared infrastructure (VPC, DNS)

Nested vs Cross-Stack Comparison In-Depth

Feature	Nested Stacks	Cross-Stack References
Lifecycle	Child managed by parent (create/update/delete together)	Independent stacks, independent lifecycles
Coupling	Tight — child is a resource in the parent	Loose — only linked via exported values
Reuse pattern	Template reuse (same child template in many parents)	Value sharing (one stack exports, another imports)
Update impact	Updating parent can trigger child updates	Updating exporter doesn't touch importer
Deletion order	Parent handles child deletion automatically	Must delete importers before exporters
Best for	Component reuse (standard VPC module)	Shared infra across teams/services

👉 Key Takeaway

Parameters make templates reusable, Mappings provide static lookups (AMI per region), Conditions enable environment-specific resources, DependsOn handles non-obvious ordering, and Outputs + ImportValue enable multi-stack architectures. Use nested stacks for component reuse; use cross-stack references for shared infrastructure.

Chapter Four

Stack Operations

Change Sets Core

A Change Set is a preview of proposed changes before they are applied to a stack. It shows exactly which resources will be added, modified, or replaced — without actually making any changes.

Change Set Workflow

✅

What Change Sets Show

Which resources will be Added
Which will be Modified (in-place)
Which will be Replaced (deleted + recreated)
Which will be Removed
Whether replacement will cause data loss

⚠️

What Change Sets Don't Show

Whether the update will succeed (permissions, limits)
Downstream impact on dependents
Cost impact of changes
Application-level impact (app downtime)
Still validate your changes in staging first!

👉 Always use Change Sets in production. Direct update-stack applies immediately with no preview. Change Sets give you a safety net — review, approve, then execute (or discard).

Stack Policies In-Depth

A Stack Policy is a JSON document that protects specific resources from unintended updates. Once applied, CloudFormation denies updates to protected resources unless you explicitly override.

🛡️

How Stack Policies Work

Attached to a stack (one policy per stack)
Default: all updates allowed (no policy)
Once applied: cannot be removed, only replaced
Deny by default — then whitelist what's allowed
Override temporarily during specific updates

🎯

Common Use Case

Protect production RDS from accidental replacement
Protect S3 buckets with critical data
Allow updates to EC2/Lambda but block database changes
Prevent accidental deletion of IAM roles

Drift Detection Core

Drift occurs when the actual state of a resource differs from what CloudFormation expects (the template). Someone manually changed a Security Group rule, resized an instance, or modified a bucket policy outside of CloudFormation.

Drift Detection — How It Works

Drift Status	Meaning
IN_SYNC	Resource matches the template — no drift
DRIFTED	One or more properties differ from template
NOT_CHECKED	Drift detection hasn't been run on this resource
DELETED	Resource was deleted outside of CloudFormation

Stack Sets In-Depth

Stack Sets let you deploy a single template across multiple AWS accounts and regions with one operation. Essential for organisations using AWS Organizations.

Stack Sets — One Template, Many Accounts & Regions

🏢

Deployment Targets

Specific account IDs
All accounts in an OU
All accounts in the org
Specific regions per account

⚙️

Operation Settings

Max concurrent — how many accounts at once
Failure tolerance — how many can fail before stopping
Region order — sequential or parallel
Automatic deployment for new accounts in OU

🎯

Common Use Cases

Security baseline across all accounts
Enable CloudTrail/Config everywhere
Deploy IAM roles/policies org-wide
Compliance guardrails (Control Tower uses Stack Sets)

Termination Protection Core

Termination protection prevents accidental stack deletion. When enabled, any delete-stack call is rejected until protection is explicitly disabled.

🔒

Enable For

Production stacks
Stacks with databases or persistent data
Shared infrastructure stacks (VPC, IAM)
Any stack where accidental deletion = disaster

📝

How to Enable

At creation: --enable-termination-protection
After creation: update-termination-protection
Console: Stack settings → Termination protection
Disable first → then delete (deliberate two-step)

Import Existing Resources In-Depth

CloudFormation can import existing AWS resources (created manually or by other tools) into a stack — without recreating them. This lets you bring unmanaged resources under IaC control.

Step	Action
1	Add the resource to your template with the correct type and properties
2	Add a `DeletionPolicy: Retain` (required for import)
3	Run `create-change-set --change-set-type IMPORT` with the resource identifier
4	Review the change set and execute
5	Resource is now managed by CloudFormation

👉 Resource import is powerful for brownfield environments — you don't need to tear down and rebuild existing infrastructure. Import it, and CloudFormation manages it going forward.

Stack Operations Summary Core

Operation	Purpose	Key Behaviour
Create Stack	Deploy new infrastructure	All-or-nothing; auto-rollback on failure
Update Stack	Modify existing resources	Use Change Sets first; rollback on failure
Delete Stack	Tear down all resources	Respects DeletionPolicy (Retain/Snapshot)
Change Set	Preview changes before applying	Safe — makes zero changes until executed
Drift Detection	Find manual/out-of-band changes	Compares template vs actual state
Stack Sets	Deploy across accounts/regions	Single template, many stack instances
Import	Bring existing resources into a stack	No recreation; requires DeletionPolicy: Retain
Termination Protection	Prevent accidental deletion	Must be explicitly disabled before delete

👉 Key Takeaway

Change Sets preview updates safely. Stack Policies protect critical resources. Drift Detection catches manual changes. Stack Sets deploy across multi-account/multi-region. Termination Protection prevents accidental deletion. Resource Import brings existing infrastructure under IaC control.

Chapter Five

Advanced Features

cfn-init — Instance Configuration In-Depth

cfn-init is CloudFormation's built-in configuration management tool. It runs on an EC2 instance at launch time and reads configuration instructions from the template's AWS::CloudFormation::Init metadata — installing packages, writing files, starting services, and more.

📦

packages

Install software via yum, apt, pip, or rpm. E.g., install Apache, Node.js, or Python packages.

📄

files

Write config files to disk with specific content, permissions, and ownership. E.g., write /etc/httpd/conf/httpd.conf.

⚙️

services

Enable and start system services. Restart them when specific files or packages change. E.g., auto-restart httpd on config change.

🔧

commands

Run arbitrary shell commands in order. E.g., run migrations, set permissions, download artifacts from S3.

👥

groups & users

Create Linux groups and users on the instance. E.g., create an appuser with specific UID/GID.

📁

sources

Download and extract archives (tar, zip) from URLs. E.g., pull app bundle from S3 and extract to /var/www.

cfn-init vs User Data In-Depth

Feature	User Data (bash script)	cfn-init
Format	Shell script (imperative)	Declarative metadata in template
Idempotent?	No — runs once, you manage idempotency	Yes — desired-state config
Service restarts	Manual handling	Auto-restart on file/package changes
Config sets	No concept	Group configs into ordered sets
Error handling	Check exit codes manually	Reports success/failure to CloudFormation
Best for	Simple installs, quick scripts	Complex multi-step server configuration

cfn-signal & CreationPolicy In-Depth

cfn-signal tells CloudFormation whether an instance successfully completed configuration. Without it, CloudFormation marks an EC2 instance as CREATE_COMPLETE the moment it launches — even if cfn-init hasn't finished or failed.

cfn-init + cfn-signal — Coordinated Bootstrap

📡

CreationPolicy

Attached to the EC2 or ASG resource in the template
Tells CloudFormation: "wait for N signals within timeout"
If signals not received → CREATE_FAILED → rollback
For ASGs: wait for MinSuccessfulInstancesPercent signals

⏱️

WaitCondition (Legacy)

Older mechanism — same idea as CreationPolicy
Uses a separate WaitConditionHandle resource
Can receive signals from external sources (not just the instance)
Prefer CreationPolicy for EC2/ASG; use WaitCondition for external coordination

Custom Resources In-Depth

Custom Resources let you extend CloudFormation beyond its built-in resource types. They invoke a Lambda function (or SNS topic) during stack create/update/delete — allowing you to do anything that AWS APIs can do.

Custom Resource — Lambda-Backed Flow

🎯

Common Use Cases

Populate an S3 bucket at stack creation (upload initial data)
Create DNS records in Route 53 hosted zones
Empty an S3 bucket before deletion (required — CFN can't delete non-empty buckets)
Call external APIs (Datadog, PagerDuty, Slack notifications)
Look up the latest AMI ID dynamically
Provision resources in services not yet supported by CFN

⚠️

Gotchas

Lambda must send a response to the S3 presigned URL — or CFN hangs
Handle all three events: Create, Update, Delete
If Lambda fails without sending response → stack stuck for 1 hour (timeout)
Always include error handling and logging
Prefer Custom::* type over AWS::CloudFormation::CustomResource

CloudFormation Helper Scripts Core

Script	Purpose	When to Use
`cfn-init`	Read metadata and configure the instance (packages, files, services)	Complex instance configuration instead of User Data scripts
`cfn-signal`	Signal CloudFormation that configuration is complete (or failed)	With CreationPolicy — so CFN waits for app readiness
`cfn-hup`	Daemon that detects metadata changes and re-runs cfn-init	When you want instances to auto-update on stack update
`cfn-get-metadata`	Retrieve metadata from a resource in the template	Debugging — inspect what metadata a resource has

👉 cfn-hup is the key to updating running instances. Without it, updating the Init metadata in a template only affects new instances. cfn-hup runs as a daemon, polls for metadata changes, and re-runs cfn-init — so existing instances pick up updates.

CloudFormation Registry & Modules In-Depth

📋

CloudFormation Registry

Catalogue of resource types, modules, and hooks
Includes AWS resources + third-party resources
E.g., Datadog::Monitors::Monitor, MongoDB::Atlas::Cluster
Register your own custom types with schemas and handlers
Versioned, discoverable, and type-safe

🧩

CloudFormation Modules

Reusable template fragments registered in the Registry
Package common patterns (e.g., "standard VPC" module)
Consumed as MODULE::* resource types in templates
Hides complexity — users specify simple properties
Versioned and shareable across the organisation

👉 Key Takeaway

cfn-init provides declarative instance configuration (packages, files, services); cfn-signal + CreationPolicy ensure CloudFormation waits for app readiness. Custom Resources extend CloudFormation via Lambda to handle any API call. cfn-hup keeps running instances in sync with template changes. The Registry enables third-party resources and reusable Modules.

Chapter Six

Patterns & Best Practices

Multi-Stack Architecture Core

In production, you should never put everything in one giant stack. Split your infrastructure into layered, loosely coupled stacks with independent lifecycles.

Recommended Multi-Stack Architecture

✅

Why Split Stacks

Independent lifecycles — update app without touching VPC
Blast radius — a failed app stack update won't break networking
Team ownership — network team owns VPC stack, app team owns app stack
Reuse — same VPC stack for dev/staging/prod
Limits — avoid the 500-resource-per-stack limit

⚠️

Anti-Patterns to Avoid

God stack — everything in one template (fragile, slow updates)
Circular exports — Stack A imports from B which imports from A
Hardcoded IDs — use !ImportValue or SSM parameters instead
No DeletionPolicy on databases — stack deletion = data loss
No Change Sets in production — blind updates are dangerous

CI/CD Integration Core

CloudFormation integrates naturally into CI/CD pipelines for automated infrastructure deployment:

CloudFormation in a CI/CD Pipeline

Template Best Practices Core

📋

Template Hygiene

Use YAML over JSON (more readable, supports comments)
Use Parameters — never hardcode account IDs, AMIs, or env names
Use Mappings for region-specific values (AMI per region)
Use Conditions for env-specific resources (alarms only in prod)
Validate with cfn-lint before deploying
Store templates in Git — full change history

🛡️

Safety & Protection

Enable Termination Protection on all prod stacks
Set DeletionPolicy: Retain on databases and S3 buckets
Use Stack Policies to protect critical resources from update
Always use Change Sets before updating production
Run Drift Detection regularly (weekly or in CI)
Tag all stacks — Environment, Team, CostCenter

Common Mistakes Introductory

Mistake	Why It's Bad	Fix
Everything in one stack	Slow updates, large blast radius, 500-resource limit	Split into network/security/data/app stacks
No DeletionPolicy on RDS	Delete stack = delete database = data gone	`DeletionPolicy: Snapshot` or `Retain`
Direct update without Change Set	Surprise replacements can delete data	Always create + review Change Set first
Hardcoded values	Template only works in one region/account	Use Parameters, Mappings, and `!Ref AWS::Region`
No cfn-signal on EC2	CFN marks instance complete before app starts	Add CreationPolicy + cfn-signal
Manual changes after deployment	Drift — template no longer matches reality	All changes through CloudFormation; run drift detection
Not using SSM for secrets	Secrets in plain text Parameters	Use `AWS::SSM::Parameter::Value` or Secrets Manager dynamic references

CloudFormation Limits Core

Limit	Value	Workaround
Resources per stack	500	Split into multiple stacks (nested or cross-stack)
Parameters per template	200	Use SSM parameters or Mappings instead
Outputs per template	200	Export only what's needed; use SSM for others
Template body size (inline)	51,200 bytes	Upload to S3 (up to 1 MB from S3)
Stacks per account per region	2,000	Request limit increase or consolidate
Exports per account per region	200	Use SSM parameters for sharing beyond 200

 CloudFormation — Complete Summary Templates — YAML/JSON files declaring infrastructure. Sections: Parameters, Mappings, Conditions, Resources (required), Outputs.
Stacks — Live deployment of a template. Lifecycle: Create → Update → Delete. Auto-rollback on failure.
Intrinsic Functions — !Ref, !GetAtt, !Sub, !FindInMap, !If, !ImportValue for dynamic templates.
Change Sets — Preview updates before applying. Shows adds, modifies, replacements, removals.
Cross-Stack References — Export/ImportValue for decoupled multi-stack architectures.
Stack Sets — Deploy one template across multiple accounts and regions (org-wide governance).
Drift Detection — Detect manual changes that diverge from the template.
cfn-init + cfn-signal — Declarative instance config + readiness signalling to CloudFormation.
Custom Resources — Lambda-backed extension for anything CloudFormation doesn't natively support.
Best Practices — Split stacks, use Change Sets, enable termination protection, DeletionPolicy on data, CI/CD pipeline integration.
 

👉 Key Takeaway

CloudFormation is the backbone of AWS infrastructure automation. Split infrastructure into layered stacks, protect production with Change Sets + Termination Protection + DeletionPolicy, integrate into CI/CD pipelines, and treat infrastructure with the same discipline as application code — versioned, reviewed, and tested.